Active Directory Setup
The following instructions walk you through setting up the TimeForce
program for Active Directory login.
Note: Before performing the following
steps you must first configure Internet Information Services (IIS). See
Active Directory Configuration
for more information.
System Settings
Specify the following settings in the "System Setup" section
of the TimeForce program:
1. Log into the TimeForce program normally. If you are prompted for a
   Windows username and password before the login screen appears, this
   means that permissions need to be set for "Read" access on the
   "C:\Inetpub\wwwroot\qqest\" directory.
   Note: Adding "Read Access" to the "Everyone" group will ensure that
   all users can access the program. However, your IT staff should
   decide how access rights to the Qqest directory should be granted.
2. Once logged into the program, click on the main "Admin" navigation
   tab, and then on the Settings link located in the System Tools
   section of the screen.
3. Click on the Edit link located under the System Setup heading.
4. Browse to the Active Directory/LDAP Integration section of the
   screen. Put a check mark in the "Enable Active Directory/LDAP
   Integration" option. Additional settings appear.
5. In the Connection String field, click on the Suggest link. If the
   Web Server is part of the Active Directory, the LDAP string will be
   populated automatically. If not, you will receive an error indicating
   that the Web Server cannot access the Active Directory. In this case,
   the IP address of the LDAP server should be entered.
6. Specify a Connection Username and a Connection Password. Often, a
   system admin will create an Active Directory account specifically for
   TimeForce and this purpose. The only requirement is that the user has
   the ability to read the Active Directory users who are using
   TimeForce.
7. With the connection username and password specified, click on the
   Test link in the Test Connection field. This will determine if a
   connection to the Active Directory or LDAP server has been
   established.
   - If the connection to the Active Directory was successful, a message
     indicating successful connection for manual and auto logins
     appears.
   - If you are using LDAP over Active Directory, the message will most
     likely indicate that you can only use a manual login.
   - If the connection string or username/password is incorrect, a
     message will appear indicating that a successful connection could
     not be established.
8. If you wish to use Auto Login and to test that the login is
   successful, click on the link in the LDAP Auto Login field.
   - This link should read:
     "http://{WEBSERVER}/qqest/Login/Autologin.asp?c={COMPANYCODE}"
   - Failure to specify the appropriate Company Code will result in an
     error when logging into the system.
   - This URL does not require any credentials to be specified. The
     Windows credentials that users entered when they logged into their
     computers are used to authenticate them to TimeForce automatically.
   - Users will now use this link to access TimeForce instead of the
     default login page. Program shortcuts should be modified
     appropriately.
9. If you would like employees to log in to TimeForce using their LDAP
   credentials, test the login by clicking on the link in the LDAP
   Manual Login field.
   - This link should read:
     "http://{WEBSERVER}/qqest/Login/LDAP.asp?c={COMPANYCODE}"
   - Failure to specify the appropriate Company Code will result in an
     error when logging into the system.
   - Users will now use this link to access TimeForce instead of the
     default login page. Program shortcuts should be modified
     appropriately.
10. To determine the format of the username when using LDAP login, the
    system administrator should choose between "userPrincipalName" and
    "sAMAccountName" in the LDAP Login Format field.
    - Specifying "userPrincipalName" requires users logging in to enter
      their username as "{USERNAME}@{DOMAIN}". If the LDAP Default
      Domain is specified, only the username must be entered.
    - Specifying "sAMAccountName" requires users logging in to enter
      their username as "{DOMAIN}\{USERNAME}". If the LDAP Default
      Domain is specified, only the username must be entered.
11. Specify the LDAP Default Domain, if desired. See the notes of step
    #10 above for more information.
12. Click on the [SAVE SETTINGS] icon in either the upper or lower
    right-hand corner of the screen to save the changes that you have
    made.
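The username rules for the LDAP Login Format and LDAP Default Domain settings can be written out as a small check of what a user must type under each combination. This is an added example, not TimeForce code; the function name, sample user and sample domains are hypothetical, and rejecting a name typed in the other format is an assumption of the sketch.

```python
# Added illustration, not TimeForce code: the login name implied by the
# "LDAP Login Format" and "LDAP Default Domain" settings described above.
FORMATS = ("userPrincipalName", "sAMAccountName")


def qualified_login(typed, login_format, default_domain=None):
    """Return the fully qualified login implied by what the user typed."""
    # Assumption: a name written in the other format is rejected; the page
    # does not say how TimeForce itself handles that case.
    if login_format not in FORMATS:
        raise ValueError(f"unknown login format: {login_format!r}")
    typed = typed.strip()
    if not typed:
        raise ValueError("empty username")

    has_at, has_slash = "@" in typed, "\\" in typed
    if login_format == "userPrincipalName":  # {USERNAME}@{DOMAIN}
        if has_slash:
            raise ValueError("DOMAIN\\USERNAME given, USERNAME@DOMAIN expected")
        if has_at:
            user, _, domain = typed.partition("@")
        else:
            user, domain = typed, default_domain
        if not user or not domain:
            raise ValueError("domain missing and no LDAP Default Domain set")
        return f"{user}@{domain}"

    # sAMAccountName: {DOMAIN}\{USERNAME}
    if has_at:
        raise ValueError("USERNAME@DOMAIN given, DOMAIN\\USERNAME expected")
    if has_slash:
        domain, _, user = typed.partition("\\")
    else:
        domain, user = default_domain, typed
    if not user or not domain:
        raise ValueError("domain missing and no LDAP Default Domain set")
    return f"{domain}\\{user}"


# Constructed sample values (hypothetical user and domains).
if __name__ == "__main__":
    for fmt, typed, dom in [
        ("userPrincipalName", "jdoe", "example.com"),
        ("userPrincipalName", "jdoe@example.com", None),
        ("sAMAccountName", "jdoe", "EXAMPLE"),
        ("sAMAccountName", "EXAMPLE\\jdoe", None),
    ]:
        print(fmt, repr(typed), "->", qualified_login(typed, fmt, dom))
```
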
Assigning Active Directory Access to TimeForce Users
Before TimeForce users
will be able to log in, you must first assign them to the appropriate
Active Directory user account.
1. From the main "Admin" tab, click on the User Security link located
   under the System Tools section of the screen.
2. Enter the desired search criteria to bring up the users that you
   would like to assign to an Active Directory account. Clicking on the
   [DISPLAY] icon without specifying search criteria will bring up all
   users in the system.
3. From the list of displayed users, click on the link in the User Name
   column. The User Info screen appears to the right.
4. The LDAP/AD User field appears in the list of displayed user
   settings. Select the appropriate account from the drop-down menu, and
   click on the [UPDATE] icon.
Repeat these steps for each desired TimeForce user.
Once an Active Directory
account is applied to a TimeForce user, the Active Directory username
is listed instead of the TimeForce username. This name will appear in
green. A username in red indicates that the user will not be able to log
in. Either the username is wrong, or the System Settings connection does
not allow access to that particular user.
You should now be able
to log in using one of the URLs from steps 8 or 9 in the "System
Settings" section above. Remember that all shortcuts to the TimeForce
program must be modified to use one of these two new URLs.